Django framework, ~20 mins

Why authorization matters in Django - Challenge Your Understanding

Challenge - 5 Problems
🧠 Conceptual
intermediate
Why is authorization important in a Django app?

Imagine a Django app where users can view and edit data. What is the main reason to use authorization?

A. To control what actions each user can perform based on their role
B. To speed up the loading time of pages
C. To encrypt user passwords in the database
D. To make the website look nicer with CSS
💡 Hint

Think about keeping data safe and limiting access.

Component behavior
intermediate
What happens if a Django view lacks authorization checks?

Consider a Django view that shows user profiles but has no authorization. What is the likely outcome?

A. The view will automatically block unauthorized users
B. Any logged-in user can see all profiles, even those they shouldn't access
C. The server will crash with an error
D. Users will see a blank page
💡 Hint

Think about what happens when no rules limit access.

State output
advanced
What is the output of this Django authorization code snippet?

Given this Django view code, what will be the HTTP response status if a user without 'can_edit' permission tries to access it?

Django
from django.contrib.auth.decorators import permission_required
from django.http import HttpResponse

@permission_required('app.can_edit')
def edit_view(request):
    return HttpResponse('Edit page')
A. 200 OK with 'Edit page' content
B. 404 Not Found error
C. 403 Forbidden error
D. 500 Internal Server Error
💡 Hint

What does the decorator do when permission is missing?

📝 Syntax
advanced
Which Django authorization code correctly restricts access to staff users only?

Choose the code snippet that properly restricts a view to staff users.

A
from django.contrib.admin.views.decorators import staff_member_required

@staff_member_required
def staff_view(request):
    return HttpResponse('Staff only')
B
from django.contrib.auth.decorators import login_required

@login_required
def staff_view(request):
    if request.user.is_staff:
        return HttpResponse('Staff only')
    else:
        return HttpResponse('Access denied')
C
from django.contrib.auth.decorators import user_passes_test

def is_staff(user):
    return user.is_staff

@user_passes_test(is_staff)
def staff_view(request):
    return HttpResponse('Staff only')
D
def staff_view(request):
    if request.user.is_staff:
        return HttpResponse('Staff only')
    else:
        return HttpResponse('Access denied')
💡 Hint

Look for the built-in decorator designed for staff access.

🔧 Debug
expert
Why does this Django authorization check fail to block unauthorized users?

Review this Django view code. Why does it allow users without 'can_view' permission to access the page?

Django
def view_page(request):
    if request.user.has_perm('app.can_view'):
        pass
    return HttpResponse('Page content')
A. The view lacks a login_required decorator
B. The has_perm method is misspelled and always returns true
C. The HttpResponse should be replaced with render()
D. The permission check does nothing because the return is outside the if block
💡 Hint

Check where the return statement is placed in relation to the permission check.